BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

Transcription

1 BOTNETS Douwe Leguit, Manager Knowledge Center GOVCERT.NL

2 Agenda Bots: what is it What is its habitat How does it spread What are its habits Dutch cases Ongoing developments

3 Visibility of malware vs malicious intent visibility and malicious intent fame and glory visibility mass-mailers (I love you, bugbear) Typosquatting Malicious intent worms (slammer, blaster) Phishing cybercrime highly profitable Botnets drive-by exploits directed trojans extended virus families crime Rootkits time

4 Bots What is it autonomous program (robot) performs actions without user intervention good or bad? in the security world: bot = mostly bad used for malicious / criminal purposes modular keyloggers, backdoors, packet sniffers update functionality large # of bots under one control = botnet

5 Bots - habitat bots prefer broadband bots are not picky, but prefer more recent OS unprotected / under protected machines Targets: home computers corporate networks government agencies universities..

6 Bots - spreading two tier approach [1] get a foothold [2] scan for more victims bots use a variety of vectors drive-by infection (exploiting vulnerabilities in browsers) network infection, scansploit (lsass, dcom, asn.1 etc ) IM, P2P (mostly useful for home computers)

7 Bots - spreading Lure end users into the trap using e.g. Spam

8 Bots - spreading Scanning for vulnerabilities and exploiting them

9 Bots - spreading And install a trojan dropper

10 Bots - spreading That downloads the bot software

11 Bots - spreading All bots together under one command and control server is called a botnet

12 Bots spreading Peer-to-Peer technology makes the botnet resilient to dismantling the Command and Control server

13 Bots - spreading Combination of Classical CNC and P2P is possible

14 Bots habits (2) Multi-functional: http useful for phishing smtp useful for spam and phishing webserver repository - piracy / data drop off ddos agent extortion packet sniffing / key logging / screen capturing information harvesting (serials, CD keys, banking info)

15 Bots- botconomics phishing and scams spam fake websites proxies Botnet-PC s ddos-attacks virusses, worms, backdoors, Information Harvesting

16 CASE 1: Toxbot - botnet Large botnet, made in Holland Conviction early 2007 Public Prosecutor: ten thousands of compromised computers, but probably millions extortion creditcard and transaction data stolen confidence in internet affected Press release: 1.5 Million unique IP addresses

17 Toxbot botnet information Bots reside in: Italy Netherlands France USA Belgium UK Eastern Europe Middle East

18 What it sniffed Banks ebay PayPal Hotmail / MSN Messenger Airlines / Various travel agencies Several Universities Yahoo! / Google Mail / Webmail in general Including.gov.cn,.gov.ae,.gov.in, etc Medical Transcription Services / Online pharmacies / Hospitals Online games / Poker / Betting Online dating / sex sites... & much more.

19 Bots - Scam and Spam Still very profitable Increase in targeted spam and scam

20 CASE 2: SPAM via botnet Conviction of a Dutch spammer febr billion spam s In 14 months He used a botnet of only 700 zombie pc s!

21 CASE 3: ddos via botnet Early October 2004 Target: several public government sites ddos attack almost for a week They used a botnet of 4000 bots! ddos: distributed Denial of Service

22 Overheid.nl 3 October 2004 Example

23 Bots - developments Botnets are the infrastructure for Cyber Crime Criminals will protect their assets Recent activity in the P2P space Encryption and root kit technology introduced Focus on small botnets to prevent detection Development is a professional business Improvement on functionality

24 Thank you! Douwe Leguit